
Troubleshooting License Authorization Issues

Published 2 months ago


xiaobing.wang

Updated 23 days ago

Some professional users may encounter an authorization error when activating a license key. This error indicates a communication issue between the SafeLine server and the license server. Follow the steps below to diagnose and resolve the issue.

Step 0: Set License Server Domain Variable

First, set the license server domain based on your WAF version. Run only the assignment that matches your version:

    # For WAF version >= 8.0.0
    LICENSE_SERVER="safeline.stream.safepoint.cloud"

    # For WAF version < 8.0.0
    LICENSE_SERVER="safeline-cloud.chaitin.com"

Step 1: Verify Host Network Connectivity

Run a telnet test from the SafeLine server to the license server on port 50052 to check whether the host network is functioning properly. If you see Connected to $LICENSE_SERVER, the host network is working correctly.

    $ telnet $LICENSE_SERVER 50052
    Trying 120.26.93.124...
    Connected to $LICENSE_SERVER.
    Escape character is '^]'.
    ^C
    Connection closed by foreign host.

If the connection fails, check whether the host has internet access and whether the cloud provider's security group allows outbound traffic.

Step 2: Verify Container Network Connectivity

The SafeLine licensing client runs inside the safeline-mgt container. If the host network is working, confirm that the container can access the internet. Since telnet is not available in the mgt container, use ping to check network connectivity. Ping confirms name resolution and ICMP reachability from inside the container; it does not test TCP port 50052 itself.

    $ docker exec safeline-mgt ping $LICENSE_SERVER
    PING $LICENSE_SERVER (120.26.93.124): 56 data bytes
    64 bytes from 120.26.93.124: seq=0 ttl=44 time=32.424 ms
    64 bytes from 120.26.93.124: seq=1 ttl=44 time=32.374 ms

If ping fails, analyze traffic flow as follows:

Check iptables Rules

Inspect outbound rules for any DROP entries:

    iptables -L -v -n --line-numbers

Use tcpdump to Capture Traffic

Capture TCP traffic between the server and the licensing server to determine if the handshake completes successfully.

    $ tcpdump -i any -nn host $LICENSE_SERVER

Example output:

    16:45:45.253527 eth0  Out IP 172.22.189.247.42790 > 120.26.93.124.50052: Flags [S], seq 808064468, win 64240, options [mss 1460,sackOK,TS val 1020606707 ecr 0,nop,wscale 7], length 0
    16:45:45.283391 eth0  In  IP 120.26.93.124.50052 > 172.22.189.247.42790: Flags [S.], seq 3474622497, ack 808064469, win 65160, options [mss 1460,sackOK,TS val 1564198957 ecr 1020606707,nop,wscale 7], length 0

Conclusion

  • If iptables or nftables blocks traffic, adjust the rules.
  • If SYN packets are sent but no response is received, investigate network issues or check if the target server is reachable.
  • If NAT/SNAT issues exist, inspect iptables -t nat rules.

Start by capturing packets to confirm if SYN packets are sent successfully, then use iptables and conntrack tools for further debugging.
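
The decision logic from the conclusion above, as an added example that is not part of the original post or of SafeLine's tooling: a shell function that reads tcpdump -nn output and reports how far the TCP handshake to port 50052 got. The function name, the result labels and the RESET case (which the post does not cover) are assumptions of this example, and the sample packets are constructed.

```shell
#!/bin/sh
# Added example: classify `tcpdump -i any -nn host $LICENSE_SERVER` output.
# Live use: tcpdump -l -i any -nn host "$LICENSE_SERVER" -c 20 | classify_handshake 50052

classify_handshake() {
    awk -v port="$1" '
        match($0, /Flags \[[A-Za-z.]*\]/) {
            flags    = substr($0, RSTART + 7, RLENGTH - 8)  # text inside [ ]
            to_srv   = index($0, "." port ": Flags") > 0    # dst is server:port
            from_srv = index($0, "." port " > ") > 0        # src is server:port
            if (to_srv && flags == "S")         syn = 1
            else if (from_srv && flags == "S.") synack = 1
            else if (from_srv && flags ~ /R/)   rst = 1
        }
        END {
            if (synack)   print "HANDSHAKE_OK"   # path is open, look above TCP
            else if (rst) print "RESET"          # something on the path refused
            else if (syn) print "SYN_NO_REPLY"   # SYN was sent, nothing came back
            else          print "NO_SYN_SEEN"    # no SYN captured: check local rules
        }'
}

# Constructed sample: the SYN / SYN-ACK pair from the example output (options trimmed).
sample_ok() {
    cat <<'EOF'
16:45:45.253527 eth0  Out IP 172.22.189.247.42790 > 120.26.93.124.50052: Flags [S], seq 808064468, win 64240, length 0
16:45:45.283391 eth0  In  IP 120.26.93.124.50052 > 172.22.189.247.42790: Flags [S.], seq 3474622497, ack 808064469, win 65160, length 0
EOF
}

# Constructed sample: SYN retransmitted three times with no answer.
sample_no_reply() {
    cat <<'EOF'
16:50:01.000000 eth0  Out IP 198.51.100.7.42800 > 192.0.2.10.50052: Flags [S], seq 1, win 64240, length 0
16:50:02.010000 eth0  Out IP 198.51.100.7.42800 > 192.0.2.10.50052: Flags [S], seq 1, win 64240, length 0
16:50:04.030000 eth0  Out IP 198.51.100.7.42800 > 192.0.2.10.50052: Flags [S], seq 1, win 64240, length 0
EOF
}

# Demo on the constructed samples.
echo "handshake sample: $(sample_ok | classify_handshake 50052)"
echo "no-reply sample:  $(sample_no_reply | classify_handshake 50052)"
```

NO_SYN_SEEN corresponds to the iptables/nftables case in the conclusion, and SYN_NO_REPLY to the "SYN packets are sent but no response is received" case.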